Europe’s General Data Protection Regulation from a cyber security perspective

September 2016 | EXPERT BRIEFING | DATA PRIVACY

financierworldwide.com

The entry into force of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, or GDPR) would imply one of the biggest changes to the European data protection regime since the approval of the Data Protection Directive.

The Regulation will not be fully applicable until 25 May 2018. In the meantime, the approval and the entry into force of the long awaited Directive on Security of Networks and Information Systems (NIS Directive) are expected to occur. This Directive is aimed and harmonising the regulation on cyber security among Member States and at the establishment of an EU-wide system of sharing and exchanging information between Member States. The Directive is also expected to lead to greater cooperation between Member States and their competent authorities through a network of national Computer Security Incidents Response Teams (CSIRTs).

As of today, it is not clear whether the legal provisions included in both the General Data Protection Regulation and the NIS Directive, such as reporting obligations, would be overlapped or duplicated by the other text. In this regard, our understanding is that the national regulators should make both regimes compatible so as to avoid, to the maximum extent possible, the duplication of reporting obligations for companies.

From a GDPR perspective, data controllers are expected to assess whether the processing activities and the potential risks for data subjects resulting from those activities are covered by the security measures in force. In this regard, the Regulation does not state the specific security measures or the minimum technical standards of such security measures in order to be considered as sufficient or compliant with the legal regime in force. The Regulation just sets the duty on businesses to assess and decide what type of measure shall be implemented in order to comply with the regime stated in the Regulation and to avoid to the maximum extent possible any cyber security breach or data leakage.

This new regime would imply a completely different approach regarding the security measures than the current regime in force, for instance, in Spain. Spanish legislation on data protection includes, within its developing regulations, the technical standards legally required so as to determine whether the measures implemented and in force are appropriate to safeguard the use and access to the relevant data processed by the relevant company.

However, the Regulation sets the duty/burden on companies to assess and decide what type of measures they shall put in place instead of just following the applicable legal requirements. This new approach would lead to a scenario in which the security measures implemented by a company would only be checked by the authorities in case a data breach arises. Therefore, companies should implement measures that are at the forefront of the art and should be able to evidence that those measures were enough to avoid, as much as possible, any potential data breach.

The General Data Protection Regulation, states that personal data breaches must be notified to the relevant supervisory authority normally no later than 72 hours after the data controller becomes aware of such a breach. In this regard, the NIS Directive also imposes a duty on companies to report cyber security breaches to the relevant competent authority at a national level, in case they are considered to be operating “essential services” (such as, energy, banking or finance) or providing digital services. In this regard the directive distinguishes between the services being offered by companies in respect of the size of the business or digital companies.

As of today, there is no certainty about how the notification obligations will be applied, taking into consideration that Member States will have, in principle, a comprehensive freedom of choice regarding the scope of this obligation (i.e., reporting timescales or sanctions/penalties).

The General Data Protection Regulation is also based on the privacy by design principle. This principle states that any product or service shall be designed from the very beginning with data minimisation standards in mind. Therefore, businesses shall warrant and limit the processing of personal data only to the strictly necessary extent to achieve the purpose for which the data is gathered; and the access to such data shall be limited to those who need it for the execution of their duties.

As mentioned, companies would not have clear guidelines to ascertain what kind of measures would need to be implemented in order to comply with the provisions included in the General Data Protection Regulation. Consequently, companies should assess, on a recurrent basis, whether the measures implemented are enough as to provide sufficient warranties to avoid any data breach or leakage according to the state of art at the time being.

This kind of uncertainty on the specific measures that would need to be implemented by the companies would force them to address additional economic resources in order to be as compliant with the new regulation as possible. They will have to constantly update the measures implemented in order for them to be an adequate means of measuring, so as to avoid any potential data breach or leakage.

The General Data Protection Regulation is expected to have a considerable impact on the digital sector given that the digital economy is based on the exploitation and use of data. The compliance issues associated with the use of data would become essential to all personal data-based business activities. In this regard, the penalties included in the General Data Protection Regulation may persuade worldwide businesses intending to exploit EU citizen’s personal data to implement data protection measures and also to be concerned about privacy issues related to running their business.

Finally, the General Data Protection Regulation will not imply a complete harmonisation of the personal data protection regime in some specific areas, such as: (i) data sharing across a global company/binding corporate rules; (ii) academic, artistic or literary expression purposes; or (iii) data processed by electronic telecoms service providers which would still be enforceable by means of the Directive 95/46/EC.

Rafael Garcia del Poyo is a partner, Samuel Martinez is an associate director and Jon Lanz is an associate at Osborne Clarke. Mr del Poyo can be contacted on +34 60 884 8406 or by email: rafael.garciadelpoyo@osborneclarke.com. Mr Martinez can be contacted on +34 62 014 4377 or by email: samuel.martinez@osborneclarke.com. Mr Lanz can be contacted on +34 61 874 6608 or by email: jon.lanz@osborneclarke.com.